HEAnet is Ireland’s National Education and Research Network, providing broadband connectivity as well as information and communications technology services for education and research organizations across Ireland. Its shared services support some 4,000 schools and colleges, and more than 1 million students and staff.
Funded by the Irish government’s Department of Education and the Higher Education Authority, HEAnet’s connectivity and ICT shared services must be properly secured and monitored, with appropriate levels of security.
“Content security is key,” says Liam Kennedy, project manager for the schools’ network at HEAnet. “We need to give schools a level of assurance that their users aren’t accessing information they shouldn’t be accessing. There are a range of URL categories that are blocked within Irish schools, and it is Department of Education policy that students don’t access this content.”
For HEAnet, this is a complex task that requires considerable flexibility. Primary schools may require different access policies from secondary schools, which are different again from further education colleges. Some schools allow a certain amount of social networking while others ban it. Other challenges include the ability to cope with usage spikes, bring-your-own-device policies, the increasing use of smartphones and other personal devices, and growth in classroom technology, all contributing to a dramatic increase in network traffic.
To respond to these challenges, HEAnet needed a partner that could provide powerful technology backed by effective support, and a few years ago, it decided to use Palo Alto Networks® PA-5000 Series next-generation firewalls to support its needs. So, it made sense when HEAnet looked at upgrading its systems recently, it issued a European tender considering various options, a process that was won by Palo Alto Networks and its Irish partner, Threatscape®. In proof-of-concept trials, the Palo Alto Networks Next-Generation Firewall exceeded expectations, and HEAnet upgraded to the more powerful Palo Alto Networks PA-7000 Series, increasing scope from 15 Gbps to 30 Gbps – with the ability to upgrade further to 100 Gbps – and dealing with a peak of 600,000 individual connections on a typical day.
“We had a set of functionality requirements regarding content security and threat management. We needed a system that would support 30 Gbps throughput and would fit into our systems without redesign. Good support, scalability and cost were key elements in the decision to continue to invest in our future with Palo Alto Networks,” explains Kennedy.
The new HEAnet platform consists of two top-of-the-range PA-7080 next-generation firewalls deployed in separate data centers – one live and one backup. Each contains three Network Processing Cards. The organization also subscribes to Palo Alto Networks URL Filtering with PAN-DB. Dublin distributor NextGen, which also delivers ongoing first-line support, provided implementation services.
The Palo Alto Networks Security Operating Platform enables HEAnet to filter websites via URL Filtering, either allowing or blocking web users’ access by checking addresses against a pre-categorized central database, thus providing a safe internet environment. Palo Alto Networks Next-Generation Firewall allows HEAnet to access the latest innovations of the Security Operating Platform, enabling the organization to prevent cyberthreats by harnessing intelligence gathered from thousands of customers. Threat Prevention protects networks from advanced threats by identifying and scanning all traffic across all ports and protocols. WildFire® cloudbased threat analysis service delivers protections against newly discovered malware every five minutes, preventing successful cyberattacks against the HEAnet network.
“The Security Operating Platform delivers the flexibility we need, and we’ve been very happy with its ability to identify specific traffic flows. Our systems analyze everything, and once they’ve identified the different kinds of traffic, we can apply policies to them,” says Kennedy. “Traffic visibility is a key benefit. It ensures a level of control and provides schools the assurance that traffic is being properly secured and students are being protected.” The linear scalability the PA-7000 Series offers – up to 100 Gbps, with new blades easily added – is another major benefit. “HEAnet’s new platform will cope with anticipated growth for the next four years,” says Kennedy.
Great Visibility and Support
Ease of management is also important, Kennedy explains. “We have a relatively small team, so we don’t do things manually. The ability to configure automatically gives us great visibility of what the systems are doing. We can take information out of our database and push it into the Palo Alto Networks platform via the platform’s excellent API on a regular basis. If schools need to make changes to the way their filtering is carried out, our support desk can do that through a console.”
Kennedy is impressed with the support provided by Palo Alto Networks, particularly in identifying applications that are not immediately recognized.
He concludes: “The Palo Alto Networks Next-Generation Firewall does what it’s supposed to do. The support from Palo Alto Networks is excellent, and we will be using them for the foreseeable future. This support allows us to continually upgrade schools without having to worry if we have the required security capacity. Firewalls and content security are tricky things to get right. Palo Alto Networks has done a great job.”